Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231130-en
- resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 17:28
Static task: static1
Behavioral task: behavioral1
- Sample: 2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: 2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
- Resource: win10v2004-20231201-en
General
- Target: 2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
- Size: 819KB
- MD5: f29554262c858e2e6fd1d828bbade0bc
- SHA1: 7cda09a6c742000f5868888a321216b1d3a72d00
- SHA256: 2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057
- SHA512: acbfa0c8e8d94cba1994cb23aed0fe0de6f8dc3ec9d2503f957af5990f5d8a923e6a42f9d2b8687540d711bf32d50ef2200a70d75883a67c4d894ddb0475bf2e
- SSDEEP: 24576:4k34/up+pJHkSJPvrxZ3IPtrQGUOfM0eh0Q:h38PJHkSpj4lrHf1Q
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: ajgpjhnhhyeoaeoa
- Email To: [email protected]
The username and password are the attacker's mailbox credentials, embedded in the sample: stolen data is sent as e-mail through that account to the "Email To" address (both addresses appear obfuscated in this copy of the report). Port 587 is the mail submission port and is normally used with STARTTLS, so the exfiltrated content is not readable in a plain capture; the extracted configuration is what identifies the channel.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\Blefq = "C:\\Users\\Admin\\AppData\\Roaming\\Blefq\\Blefq.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 2240 (2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe) set thread context of PID 2776 (2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe)
  The target is a second instance of the same executable, started by PID 2240, which also wrote to its memory nine times (see the WriteProcessMemory records below). That combination is consistent with process hollowing: the first instance starts a copy of itself, overwrites its memory with the real payload and redirects its main thread to it. In the process tree the Run-key persistence above is attributed to the injected instance, PID 2776.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 2240  2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe (2 records)
  PID 2556  powershell.exe
  PID 1944  powershell.exe
  PID 2776  2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe (2 records)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 2240  2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
  Token: SeDebugPrivilege  PID 2556  powershell.exe
  Token: SeDebugPrivilege  PID 1944  powershell.exe
  Token: SeDebugPrivilege  PID 2776  2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 2240 (2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe) wrote to memory of PID 1944 (powershell.exe): 4 records
  PID 2240 (2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe) wrote to memory of PID 2556 (powershell.exe): 4 records
  PID 2240 (2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe) wrote to memory of PID 2612 (schtasks.exe): 4 records
  PID 2240 (2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe) wrote to memory of PID 2776 (2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe): 9 records
  Every ordinary child here (the two powershell.exe instances and schtasks.exe) receives exactly four writes; the same-image child receives nine and is also the SetThreadContext target, which is what singles it out as the injection target.
Processes
- C:\Users\Admin\AppData\Local\Temp\2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe  (PID 2240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1944)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2556)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KGEKGiThiZ.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe  (PID 2612)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KGEKGiThiZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4DB3.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe  (PID 2776)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Reading the tree: PID 2240 is the loader stage. It adds two Windows Defender path exclusions through PowerShell (one for its own location in %TEMP%, one for C:\Users\Admin\AppData\Roaming\KGEKGiThiZ.exe), registers a scheduled task named Updates\KGEKGiThiZ from an XML definition written to %TEMP%, and starts a second copy of itself (PID 2776) into which it writes memory and sets the thread context. The injected instance sets the Run key to a different path, C:\Users\Admin\AppData\Roaming\Blefq\Blefq.exe, so the run leaves two persistence entries under two different names; neither path appears in the dropped-files list below. The image paths under C:\Windows\SysWOW64 with command lines naming C:\Windows\System32 show that the sample is a 32-bit process: WoW64 file-system redirection maps its System32 references to SysWOW64 on this x64 VM, which is also why the resource tags carry both arch:x86 and arch:x64.
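The host and network behaviour in this report reduces to a handful of detectable events. As an added example, not code from the sandbox report or from Agent Tesla itself, the Python below encodes those behaviours as detection rules and runs them over constructed Sysmon-style process-creation (EID 1), network-connection (EID 3) and registry-set (EID 13) records that mirror the process tree above and the extracted SMTP configuration. The record layout, the field names and the MAIL_CLIENTS allow-list are assumptions made for illustration. The sandbox's SetThreadContext signature has no direct Sysmon equivalent, so that rule keys on the telemetry-visible proxy: a process starting a second copy of its own image from a user-writable path.

```python
"""Detection rules for the behaviour chain in this report, run over constructed
Sysmon-style events. Added example; record layout and field names are assumed."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

SAMPLE = "2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"

EXFIL_HOST, EXFIL_PORT = "smtp.yandex.com", 587       # from the extracted config
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}     # assumption: tune per fleet


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_defender_exclusion(ev: dict) -> Alert | None:
    """powershell.exe adding a Defender exclusion (T1562.001)."""
    if ev["id"] != 1 or _base(ev["image"]) != "powershell.exe":
        return None
    m = re.search(r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)',
                  ev["cmdline"], re.I)
    return Alert("defender_exclusion", ev["pid"], m.group(1)) if m else None


def detect_schtasks_xml_from_temp(ev: dict) -> Alert | None:
    """schtasks /Create importing a task definition dropped in %TEMP% (T1053.005)."""
    if ev["id"] != 1 or _base(ev["image"]) != "schtasks.exe":
        return None
    m = re.search(r'/XML\s+"?([^"]+)', ev["cmdline"], re.I)
    if re.search(r"/Create\b", ev["cmdline"], re.I) and m \
            and "\\appdata\\local\\temp\\" in m.group(1).lower():
        return Alert("schtasks_xml_from_temp", ev["pid"], m.group(1))
    return None


def detect_same_image_child(ev: dict) -> Alert | None:
    """A process starting a second copy of its own image from a user-writable path:
    the telemetry-visible side of the SetThreadContext/WriteProcessMemory records
    (hollowing a sacrificial copy of itself, T1055.012)."""
    if ev["id"] != 1:
        return None
    image = ev["image"].lower()
    if image == ev["parent_image"].lower() and "\\users\\" in image:
        return Alert("same_image_child", ev["pid"], f"parent pid {ev['ppid']}")
    return None


def detect_run_key_to_roaming(ev: dict) -> Alert | None:
    """Run-key value pointing into %APPDATA% (T1547.001)."""
    if ev["id"] != 13:
        return None
    if "\\software\\microsoft\\windows\\currentversion\\run\\" in ev["target"].lower() \
            and "\\appdata\\roaming\\" in ev["details"].lower():
        return Alert("run_key_to_roaming", ev["pid"], f"{ev['target']} = {ev['details']}")
    return None


def detect_smtp_from_non_mail_client(ev: dict) -> Alert | None:
    """Outbound SMTP from anything but a mail client; Agent Tesla exfiltrates
    stolen credentials as e-mail (T1048.003 / T1071.003)."""
    if ev["id"] != 3 or ev["dst_port"] not in SMTP_PORTS or _base(ev["image"]) in MAIL_CLIENTS:
        return None
    return Alert("smtp_from_non_mail_client", ev["pid"], f"{ev['dst_host']}:{ev['dst_port']}")


RULES = (detect_defender_exclusion, detect_schtasks_xml_from_temp, detect_same_image_child,
         detect_run_key_to_roaming, detect_smtp_from_non_mail_client)


def run_detections(events: list[dict]) -> list[Alert]:
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


# Constructed events mirroring the report's process tree (not real telemetry).
EVENTS = [
    {"id": 1, "pid": 2240, "ppid": 1180, "image": SAMPLE_PATH, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE_PATH}"'},
    {"id": 1, "pid": 1944, "ppid": 2240, "image": PS, "parent_image": SAMPLE_PATH,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE_PATH}"'},
    {"id": 1, "pid": 2556, "ppid": 2240, "image": PS, "parent_image": SAMPLE_PATH,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\KGEKGiThiZ.exe"'},
    {"id": 1, "pid": 2612, "ppid": 2240, "image": SCHTASKS, "parent_image": SAMPLE_PATH,
     "cmdline": f'"{SCHTASKS}" /Create /TN "Updates\\KGEKGiThiZ" /XML "{TEMP}\\tmp4DB3.tmp"'},
    {"id": 1, "pid": 2776, "ppid": 2240, "image": SAMPLE_PATH, "parent_image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}"'},
    {"id": 13, "pid": 2776,
     "target": r"HKU\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\Blefq",
     "details": r"C:\Users\Admin\AppData\Roaming\Blefq\Blefq.exe"},
    {"id": 3, "pid": 2776, "image": SAMPLE_PATH, "dst_host": EXFIL_HOST, "dst_port": EXFIL_PORT},
    # Benign noise that must stay silent.
    {"id": 1, "pid": 3100, "ppid": 1180, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{PS}" Get-MpPreference'},
    {"id": 3, "pid": 3200, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "smtp.office365.com", "dst_port": 587},
]

if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(f"{alert.rule:26} pid={alert.pid:<5} {alert.detail}")
```

Against the constructed events the rules raise six alerts, one per malicious step in the tree, and stay silent on the benign PowerShell invocation and the mail client's own SMTP session. The same-image rule is deliberately narrow (user-writable path only) because legitimate installers and browsers also spawn copies of themselves; the Defender-exclusion and schtasks-from-%TEMP% rules are the low-noise ones to alert on outright.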
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: cf333f82fad927da8a794d478b0e5e9b
  SHA1: d94a60a530fe32ad9052210a86aaf266cd270ee8
  SHA256: 933a84485da4584141e96eb151dae5b06fca2aa4c99aeb363a9c9be3651dcfdc
  SHA512: c6cfa07a9373e7e1ea07e7a1081cc649df7f2f7e003e85bfecd379233ba69d4701a63d6b58106112018adf41d574ac4398626890b6c3513787ca387a83eebd4b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S185N3YFG5LVUDM7V2RT.temp
  Filesize: 7KB
  MD5: 83b7bf4835e145760df31c236c23d0be
  SHA1: 59c2f67ce21a835a8982da6684806c3621b36b78
  SHA256: 86cc537b33d2f8f6ebe39c35149fc8530d6267326d3a16fc6b0bac48ab351a2a
  SHA512: 2069beaf8d8415e2735ae419f7f1c1db844c43209f15bcebf6c9b447b6bce8dbe7b4f8f1c4876e63b5ec754b27dd313c39a402e85ac0a9ee001a0023ba5f4878
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 83b7bf4835e145760df31c236c23d0be
  SHA1: 59c2f67ce21a835a8982da6684806c3621b36b78
  SHA256: 86cc537b33d2f8f6ebe39c35149fc8530d6267326d3a16fc6b0bac48ab351a2a
  SHA512: 2069beaf8d8415e2735ae419f7f1c1db844c43209f15bcebf6c9b447b6bce8dbe7b4f8f1c4876e63b5ec754b27dd313c39a402e85ac0a9ee001a0023ba5f4878
The two 7KB entries have identical hashes and are one file: a jump list (customDestinations-ms) that Explorer writes when the sample is launched, with the .temp being the shell's temporary copy of it. They are artifacts of execution, not payloads dropped by the sample. No entry for the scheduled-task target C:\Users\Admin\AppData\Roaming\KGEKGiThiZ.exe or the Run-key target C:\Users\Admin\AppData\Roaming\Blefq\Blefq.exe appears in this list.